Vulnerability in the driver of some AMD Radeon graphics cards allows for RCE

The driver for two models of AMD Radeon graphics cards contains a vulnerability that lets an attacker, starting from an ordinary user account inside a guest virtual machine, execute arbitrary code on the host.

This is the conclusion of Cisco Talos engineers, who published a description of the bug. The technical details were released only after the vendor had shipped a patch.

“Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 series while running VMWare Workstation 15,” Cisco Talos researchers reported.

To exploit the vulnerability, an attacker prepares a specially crafted pixel shader inside the guest virtual machine and submits it so that it reaches the ATIDXX64.DLL library on the host. As a result, the driver function sub_32B820 is called with a specific argument, which lets the attacker corrupt the memory of the vmware-vmx.exe process on the host in a controlled way and execute malicious code there.

The problem is present in driver versions 25.20.15031.5004 and 25.20.15031.9002 for the Radeon 550 and RX 550 cards. To reproduce the exploit, the host must be running VMware Workstation version 15.0.4 build-12990004 on 64-bit Windows 10.
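A practitioner reading the version list above wants to know whether a given host is exposed. The following triage script is an added example written for this article; it is not code from Cisco Talos, AMD or VMware. It assumes a default 64-bit VMware Workstation 15 install path under Program Files (x86), and it assumes that the version number quoted in the advisory corresponds to the display driver package version reported by Win32_VideoController (the DLL's own file version is listed separately so both can be compared). Run it in an elevated PowerShell session on the Windows host.

```powershell
# Added triage script for CVE-2019-5049 (not Cisco Talos', AMD's or VMware's code).
# Assumptions: default Workstation 15 install path, and that the advisory's version
# string matches the Win32_VideoController DriverVersion field.

$AffectedDriverVersions   = @('25.20.15031.5004', '25.20.15031.9002')  # from the advisory
$TestedWorkstationVersion = '15.0.4'                                   # from the advisory
$TestedWorkstationBuild   = '12990004'                                 # from the advisory

function Get-RadeonDriverStatus {
    # One row per AMD/ATI display adapter, flagged if its driver package version is on the list.
    Get-CimInstance -ClassName Win32_VideoController |
        Where-Object { $_.Name -match 'AMD|ATI|Radeon' } |
        ForEach-Object {
            [pscustomobject]@{
                Adapter       = $_.Name
                DriverVersion = $_.DriverVersion
                Affected      = $AffectedDriverVersions -contains $_.DriverVersion
            }
        }
}

function Get-AtidxxFileVersions {
    # Every ATIDXX64.DLL under System32 or the driver store, with its own file version.
    # The advisory's number may be the package version rather than this one, so report both.
    $roots = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\DriverStore\FileRepository")
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'atidxx64.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Affected    = $AffectedDriverVersions -contains $_.VersionInfo.FileVersion
                }
            }
    }
}

function Get-WorkstationStatus {
    # Read the Workstation build out of vmware-vmx.exe itself, the process the exploit corrupts.
    # Path is the default for a 64-bit Workstation 15 install (assumption).
    $vmx = Join-Path ${env:ProgramFiles(x86)} 'VMware\VMware Workstation\x64\vmware-vmx.exe'
    if (-not (Test-Path $vmx)) { return [pscustomobject]@{ Installed = $false } }
    $fv    = (Get-Item $vmx).VersionInfo.FileVersion      # e.g. "15.0.4 build-12990004"
    $build = if ($fv -match 'build-(\d+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Installed   = $true
        Path        = $vmx
        FileVersion = $fv
        TestedCombo = ($fv -like "$TestedWorkstationVersion*") -and ($build -eq $TestedWorkstationBuild)
    }
}

$drivers = @(Get-RadeonDriverStatus)
$dlls    = @(Get-AtidxxFileVersions)
$ws      = Get-WorkstationStatus

$drivers | Format-Table -AutoSize
$dlls    | Format-Table -AutoSize
$ws      | Format-List

$exposed = ($drivers.Affected -contains $true) -or ($dlls.Affected -contains $true)
if ($exposed -and $ws.Installed) {
    Write-Warning 'Affected Radeon driver and VMware Workstation are both present: a guest can reach the vulnerable shader path. Install the driver release AMD published for CVE-2019-5049.'
} elseif ($exposed) {
    Write-Warning 'Affected Radeon driver version present; update it even though Workstation is not installed.'
} else {
    Write-Output 'No driver version from the advisory found. Versions outside the listed set are not thereby proven safe; compare against the patched release on AMD''s site.'
}
```

The script deliberately flags only exact matches against the versions the advisory names, because the article does not give the fixed version number; a host with any other version still needs to be compared against the release AMD published on September 16. A Workstation build other than 15.0.4 build-12990004 is reported but not treated as safe, since that build is the one the researchers tested, not a proven boundary.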


The researchers discovered the bug and reported it to AMD in May of this year, then spent several months working with the company's specialists on a patch. On September 16, a new driver version containing the fix appeared on the vendor's site. The vulnerability is tracked as CVE-2019-5049 and the experts rate it 9 out of 10 on the CVSS scale.

In June, AMD also had to release a patch for the system software behind Secure Encrypted Virtualization (SEV), which implements memory protection for virtual machines under Linux. That bug allowed attackers to recover part of the secret PDH key used to encrypt data and thereby gain access to the target host's data.

About the author

Valdis Kok

Security engineer, reverse engineering and memory forensics
